Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.


6 Answers

What I've been doing is just getting the RSA to send SNMP traps to my Splunk server, then have Splunk monitor and index those events from the file; this will get you all the login/logout events, etc. I also incorporate a scripted input to snmpget specific values from the RSA. From there it's not too hard to write a regex or do field extractions to get the relevant data you need.
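To illustrate the last step of that approach, here is an added example (not code from the original answer or from any Splunk app) of the kind of regex field extraction you would write over trap-log lines once snmptrapd has written them to a file. The log layout, the PLACEHOLDER-MIB object names and the sample events are all constructed for the example; they are not RSA's actual MIB or trap format, so the regexes would need adjusting to the real varbind names you see in your own file.

```python
import re
from collections import Counter

# Constructed sample trap-log lines (NOT real RSA output). The layout is a
# generic "timestamp agent [UDP: [src]:port->[dst]:port]: varbind = TYPE: value"
# form; the PLACEHOLDER-MIB names are placeholders for whatever the real MIB uses.
SAMPLE_TRAP_LOG = """\
2024-03-01 09:15:02 rsa-am01 [UDP: [10.0.0.5]:162->[10.0.0.1]:162]: PLACEHOLDER-MIB::eventType = STRING: "AUTHN_LOGIN_EVENT"  PLACEHOLDER-MIB::userName = STRING: "jdoe"  PLACEHOLDER-MIB::result = STRING: "SUCCESS"  PLACEHOLDER-MIB::clientIp = STRING: "192.0.2.10"
2024-03-01 09:15:40 rsa-am01 [UDP: [10.0.0.5]:162->[10.0.0.1]:162]: PLACEHOLDER-MIB::eventType = STRING: "AUTHN_LOGIN_EVENT"  PLACEHOLDER-MIB::userName = STRING: "jdoe"  PLACEHOLDER-MIB::result = STRING: "FAILURE"  PLACEHOLDER-MIB::clientIp = STRING: "198.51.100.7"
# trap daemon restarted (constructed noise line that should be skipped)
2024-03-01 09:16:01 rsa-am01 [UDP: [10.0.0.5]:162->[10.0.0.1]:162]: PLACEHOLDER-MIB::eventType = STRING: "AUTHN_LOGIN_EVENT"  PLACEHOLDER-MIB::userName = STRING: "asmith"  PLACEHOLDER-MIB::result = STRING: "FAILURE"  PLACEHOLDER-MIB::clientIp = STRING: "198.51.100.7"
2024-03-01 09:16:09 rsa-am01 [UDP: [10.0.0.5]:162->[10.0.0.1]:162]: PLACEHOLDER-MIB::eventType = STRING: "AUTHN_LOGIN_EVENT"  PLACEHOLDER-MIB::userName = STRING: "asmith"  PLACEHOLDER-MIB::result = STRING: "FAILURE"  PLACEHOLDER-MIB::clientIp = STRING: "198.51.100.7"
2024-03-01 09:16:15 rsa-am01 [UDP: [10.0.0.5]:162->[10.0.0.1]:162]: PLACEHOLDER-MIB::eventType = STRING: "AUTHN_LOGIN_EVENT"  PLACEHOLDER-MIB::userName = STRING: "asmith"  PLACEHOLDER-MIB::result = STRING: "FAILURE"  PLACEHOLDER-MIB::clientIp = STRING: "198.51.100.7"  PLACEHOLDER-MIB::attempts = INTEGER: 3
"""

# Header: timestamp, reporting agent, and the source IP inside the UDP transport tag.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<agent>\S+) "
    r"\[UDP: \[(?P<src_ip>[^\]]+)\]:\d+->\[[^\]]+\]:\d+\]:\s*(?P<varbinds>.*)$"
)

# One varbind: MODULE::object = TYPE: value, where value is quoted or a bare token.
VARBIND_RE = re.compile(
    r'(?P<name>[\w-]+::[\w.]+) = (?P<type>\w+): (?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
)


def parse_trap_line(line):
    """Return a flat dict of fields for one trap line, or None if it is not a trap."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "agent": m["agent"], "src_ip": m["src_ip"]}
    for vb in VARBIND_RE.finditer(m["varbinds"]):
        # Drop the MIB module prefix so fields read like Splunk-style field names.
        key = vb["name"].split("::", 1)[1]
        event[key] = vb["quoted"] if vb["quoted"] is not None else vb["bare"]
    return event


def parse_trap_log(text):
    """Parse every line, silently skipping lines that are not trap records."""
    return [e for e in (parse_trap_line(l) for l in text.splitlines()) if e]


def failed_logins_by_user(events):
    """Count failed login events per user (field names are the placeholders above)."""
    counts = Counter()
    for e in events:
        if e.get("eventType") == "AUTHN_LOGIN_EVENT" and e.get("result") == "FAILURE":
            counts[e.get("userName", "<unknown>")] += 1
    return counts


def users_over_threshold(events, threshold=3):
    """Users whose failed-login count meets the threshold: a simple lockout/brute-force review list."""
    return sorted(u for u, n in failed_logins_by_user(events).items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_trap_log(SAMPLE_TRAP_LOG)
    print(len(evts), "trap events parsed")
    print(dict(failed_logins_by_user(evts)))
    print("review:", users_over_threshold(evts, 3))
```

On the Splunk side the same named-group regex can be dropped into a props.conf EXTRACT setting (or built in the field extractor UI) so the fields exist at search time; the Python above is only a way to check the regex against a sample of your file before you commit it to the config. The threshold function is the kind of search you would then run as a scheduled alert rather than something the trap feed gives you directly.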

Thank you for the comment and Splunk App. Let me discuss RSA Logger integration with Splunk. SNMP traps from RSA are usually system events or correlation logs, but I want to integrate Splunk to get raw logs from RSA. Can we export raw logs from the RSA Log receiver to Splunk, or can the RSA log forwarder send to Splunk and Splunk forward to the RSA Log receiver?

The SNMP traps capture whatever you set the "Administrative/Runtime/System Audit Log Trap Level" to. If you set them all to Success, it will capture all actions initiated by all users, administrators and the device itself.

Is there more data you are looking for?

Depending on whether you are running the appliance or AM is installed on your own standalone machine, you can configure a public key for the emcsrv account and use rsync to remotely grab data from the machine to pull down to Splunk for indexing and parsing. I never covered this approach in my app since it's bad security practice.

Santisookgable, if I understand correctly, you have a network environment being monitored and various logs are being sent through syslog and RSA agents to the RSA collector before they are then sent on to enVision, and you are wanting to intercept the logs on the collectors to have them forwarded on to Splunk?

If so I am also looking for the same information. Please share whatever you might find out on this. Thanks.

lsdata is your friend, I managed to use it successfully to export Cisco ASA logs (intact), save them to a local file on the enVision appliance and then pull them from the Splunk server side via SMB file share. This involves batch jobs on both sides.
